Search
Total
46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-29701 | 3 Ibm, Linux, Microsoft | 4 Engineering Workflow Management, Rational Team Concert, Linux Kernel and 1 more | 2023-08-08 | 4.0 MEDIUM | 4.3 MEDIUM |
| IBM Engineering Workflow Management 7.0, 7.0.1, and 7.0.2 as well as IBM Rational Team Concert 6.0.6 and 6.0.6.1 could allow an authneticated attacker to obtain sensitive information from build definitions that could aid in further attacks against the system. IBM X-Force ID: 200657. | |||||
| CVE-2021-36411 | 2 Debian, Struktur | 2 Debian Linux, Libde265 | 2023-08-08 | 4.3 MEDIUM | 5.5 MEDIUM |
| An issue has been found in libde265 v1.0.8 due to incorrect access control. A SEGV caused by a READ memory access in function derive_boundaryStrength of deblock.cc has occurred. The vulnerability causes a segmentation fault and application crash, which leads to remote denial of service. | |||||
| CVE-2021-35452 | 2 Debian, Struktur | 2 Debian Linux, Libde265 | 2023-08-08 | 4.3 MEDIUM | 6.5 MEDIUM |
| An Incorrect Access Control vulnerability exists in libde265 v1.0.8 due to a SEGV in slice.cc. | |||||
| CVE-2021-42748 | 1 Fastlinemedia | 1 Beaver Builder | 2023-08-08 | 5.0 MEDIUM | 5.3 MEDIUM |
| In Beaver Builder through 2.5.0.3, attackers can bypass the visibility controls protection mechanism via the REST API. | |||||
| CVE-2021-28715 | 2 Debian, Linux | 2 Debian Linux, Linux Kernel | 2023-08-08 | 2.1 LOW | 6.5 MEDIUM |
| Guest can force Linux netback driver to hog large amounts of kernel memory T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Incoming data packets for a guest in the Linux kernel's netback driver are buffered until the guest is ready to process them. There are some measures taken for avoiding to pile up too much data, but those can be bypassed by the guest: There is a timeout how long the client side of an interface can stop consuming new packets before it is assumed to have stalled, but this timeout is rather long (60 seconds by default). Using a UDP connection on a fast interface can easily accumulate gigabytes of data in that time. (CVE-2021-28715) The timeout could even never trigger if the guest manages to have only one free slot in its RX queue ring page and the next package would require more than one free slot, which may be the case when using GSO, XDP, or software hashing. (CVE-2021-28714) | |||||
| CVE-2021-28714 | 2 Debian, Linux | 2 Debian Linux, Linux Kernel | 2023-08-08 | 2.1 LOW | 6.5 MEDIUM |
| Guest can force Linux netback driver to hog large amounts of kernel memory T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Incoming data packets for a guest in the Linux kernel's netback driver are buffered until the guest is ready to process them. There are some measures taken for avoiding to pile up too much data, but those can be bypassed by the guest: There is a timeout how long the client side of an interface can stop consuming new packets before it is assumed to have stalled, but this timeout is rather long (60 seconds by default). Using a UDP connection on a fast interface can easily accumulate gigabytes of data in that time. (CVE-2021-28715) The timeout could even never trigger if the guest manages to have only one free slot in its RX queue ring page and the next package would require more than one free slot, which may be the case when using GSO, XDP, or software hashing. (CVE-2021-28714) | |||||
| CVE-2021-36774 | 1 Apache | 1 Kylin | 2023-08-08 | 4.0 MEDIUM | 6.5 MEDIUM |
| Apache Kylin allows users to read data from other database systems using JDBC. The MySQL JDBC driver supports certain properties, which, if left unmitigated, can allow an attacker to execute arbitrary code from a hacker-controlled malicious MySQL server within Kylin server processes. This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions. | |||||
| CVE-2022-20015 | 2 Google, Mediatek | 25 Android, Mt6739, Mt6757 and 22 more | 2023-08-08 | 2.1 LOW | 4.4 MEDIUM |
| In kd_camera_hw driver, there is a possible information disclosure due to uninitialized data. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS05862966; Issue ID: ALPS05862966. | |||||
| CVE-2021-20148 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2023-08-08 | 3.5 LOW | 4.3 MEDIUM |
| ManageEngine ADSelfService Plus below build 6116 stores the password policy file for each domain under the html/ web root with a predictable filename based on the domain name. When ADSSP is configured with multiple Windows domains, a user from one domain can obtain the password policy for another domain by authenticating to the service and then sending a request specifying the password policy file of the other domain. | |||||
| CVE-2021-44717 | 3 Debian, Golang, Opengroup | 3 Debian Linux, Go, Unix | 2023-08-08 | 5.8 MEDIUM | 4.8 MEDIUM |
| Go before 1.16.12 and 1.17.x before 1.17.5 on UNIX allows write operations to an unintended file or unintended network connection as a consequence of erroneous closing of file descriptor 0 after file-descriptor exhaustion. | |||||
| CVE-2021-45494 | 1 Netgear | 6 Rbk352, Rbk352 Firmware, Rbr350 and 3 more | 2023-08-08 | 2.7 LOW | 4.5 MEDIUM |
| Certain NETGEAR devices are affected by an attacker's ability to read arbitrary files. This affects RBK352 before 4.4.0.10, RBR350 before 4.4.0.10, and RBS350 before 4.4.0.10. | |||||
| CVE-2021-4068 | 3 Debian, Fedoraproject, Google | 3 Debian Linux, Fedora, Chrome | 2023-08-08 | 4.3 MEDIUM | 6.5 MEDIUM |
| Insufficient data validation in new tab page in Google Chrome prior to 96.0.4664.93 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | |||||
| CVE-2021-38009 | 3 Debian, Fedoraproject, Google | 3 Debian Linux, Fedora, Chrome | 2023-08-08 | 4.3 MEDIUM | 6.5 MEDIUM |
| Inappropriate implementation in cache in Google Chrome prior to 96.0.4664.45 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | |||||
| CVE-2021-45097 | 1 Knime | 1 Knime Server | 2023-08-08 | 2.1 LOW | 5.5 MEDIUM |
| KNIME Server before 4.12.6 and 4.13.x before 4.13.4 (when installed in unattended mode) keeps the administrator's password in a file without appropriate file access controls, allowing all local users to read its content. | |||||
| CVE-2021-0986 | 1 Google | 1 Android | 2023-08-08 | 2.1 LOW | 5.5 MEDIUM |
| In hasGrantedPolicy of DevicePolicyManagerService.java, there is a possible information disclosure about the device owner, profile owner, or device admin due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-192247339 | |||||
| CVE-2021-43224 | 1 Microsoft | 10 Windows 10, Windows 11, Windows 7 and 7 more | 2023-08-08 | 2.1 LOW | 5.5 MEDIUM |
| Windows Common Log File System Driver Information Disclosure Vulnerability | |||||
| CVE-2021-42295 | 1 Microsoft | 2 365 Apps, Office | 2023-08-08 | 4.3 MEDIUM | 5.5 MEDIUM |
| Visual Basic for Applications Information Disclosure Vulnerability | |||||
| CVE-2021-39940 | 1 Gitlab | 1 Gitlab | 2023-08-08 | 4.0 MEDIUM | 6.5 MEDIUM |
| An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.2 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. GitLab Maven Package registry is vulnerable to a regular expression denial of service when a specifically crafted string is sent. | |||||
| CVE-2021-39933 | 1 Gitlab | 1 Gitlab | 2023-08-08 | 4.0 MEDIUM | 6.5 MEDIUM |
| An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. A regular expression used for handling user input (notes, comments, etc) was susceptible to catastrophic backtracking that could cause a DOS attack. | |||||
| CVE-2021-43536 | 2 Debian, Mozilla | 4 Debian Linux, Firefox, Firefox Esr and 1 more | 2023-08-08 | 4.3 MEDIUM | 6.5 MEDIUM |
| Under certain circumstances, asynchronous functions could have caused a navigation to fail but expose the target URL. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95. | |||||
| CVE-2021-36718 | 1 Synel | 2 Eharmonynew, Synel Reports | 2023-08-08 | 6.8 MEDIUM | 6.5 MEDIUM |
| SYNEL - eharmonynew / Synel Reports - The attacker can log in to the system with default credentials and export a report of eharmony system with sensetive data (Employee name, Employee ID number, Working hours etc') The vulnerabilety has been addressed and fixed on version 11. Default credentials , Security miscommunication , Sensetive data exposure vulnerability in Synel Reports of SYNEL eharmonynew, Synel Reports allows an attacker to log into the system with default credentials. This issue affects: SYNEL eharmonynew, Synel Reports 8.0.2 version 11 and prior versions. | |||||
| CVE-2021-32591 | 1 Fortinet | 4 Fortiadc, Fortimail, Fortisandbox and 1 more | 2023-08-08 | 2.6 LOW | 5.3 MEDIUM |
| A missing cryptographic steps vulnerability in the function that encrypts users' LDAP and RADIUS credentials in FortiSandbox before 4.0.1, FortiWeb before 6.3.12, FortiADC before 6.2.1, FortiMail 7.0.1 and earlier may allow an attacker in possession of the password store to compromise the confidentiality of the encrypted secrets. | |||||
| CVE-2021-29719 | 2 Ibm, Netapp | 2 Cognos Analytics, Oncommand Insight | 2023-08-08 | 5.0 MEDIUM | 5.3 MEDIUM |
| IBM Cognos Analytics 11.1.7 and 11.2.0 could be vulnerable to client side vulnerabilties due to a web response specifying an incorrect content type. IBM X-Force ID: 201091 | |||||
| CVE-2021-43327 | 1 Renesas | 4 Rx65, Rx65 Firmware, Rx65n and 1 more | 2023-08-08 | 2.1 LOW | 4.6 MEDIUM |
| An issue was discovered on Renesas RX65 and RX65N devices. With a VCC glitch, an attacker can extract the security ID key from the device. Then, the protected firmware can be extracted. | |||||
| CVE-2021-42299 | 1 Microsoft | 2 Surface Pro 3, Surface Pro 3 Firmware | 2023-08-08 | 3.6 LOW | 5.6 MEDIUM |
| Microsoft Surface Pro 3 Security Feature Bypass Vulnerability | |||||
| CVE-2021-40824 | 1 Matrix | 2 Element, Matrix-android-sdk2 | 2023-08-08 | 4.3 MEDIUM | 5.9 MEDIUM |
| A logic error in the room key sharing functionality of Element Android before 1.2.2 and matrix-android-sdk2 (aka Matrix SDK for Android) before 1.2.2 allows a malicious Matrix homeserver present in an encrypted room to steal room encryption keys (via crafted Matrix protocol messages) that were originally sent by affected Matrix clients participating in that room. This allows the attacker to decrypt end-to-end encrypted messages sent by affected clients. | |||||
| CVE-2021-40823 | 1 Matrix | 1 Javascript Sdk | 2023-08-08 | 4.3 MEDIUM | 5.9 MEDIUM |
| A logic error in the room key sharing functionality of matrix-js-sdk (aka Matrix Javascript SDK) before 12.4.1 allows a malicious Matrix homeserver present in an encrypted room to steal room encryption keys (via crafted Matrix protocol messages) that were originally sent by affected Matrix clients participating in that room. This allows the homeserver to decrypt end-to-end encrypted messages sent by affected clients. | |||||
| CVE-2021-26099 | 1 Fortinet | 1 Fortimail | 2023-08-08 | 4.0 MEDIUM | 4.9 MEDIUM |
| Missing cryptographic steps in the Identity-Based Encryption service of FortiMail before 7.0.0 may allow an attacker who comes in possession of the encrypted master keys to compromise their confidentiality by observing a few invariant properties of the ciphertext. | |||||
| CVE-2021-23993 | 1 Mozilla | 1 Thunderbird | 2023-08-08 | 4.3 MEDIUM | 6.5 MEDIUM |
| An attacker may perform a DoS attack to prevent a user from sending encrypted email to a correspondent. If an attacker creates a crafted OpenPGP key with a subkey that has an invalid self signature, and the Thunderbird user imports the crafted key, then Thunderbird may try to use the invalid subkey, but the RNP library rejects it from being used, causing encryption to fail. This vulnerability affects Thunderbird < 78.9.1. | |||||
| CVE-2021-33624 | 2 Debian, Linux | 2 Debian Linux, Linux Kernel | 2023-08-08 | 4.7 MEDIUM | 4.7 MEDIUM |
| In kernel/bpf/verifier.c in the Linux kernel before 5.12.13, a branch can be mispredicted (e.g., because of type confusion) and consequently an unprivileged BPF program can read arbitrary memory locations via a side-channel attack, aka CID-9183671af6db. | |||||
| CVE-2021-23395 | 1 Nedb Project | 1 Nedb | 2023-08-08 | 5.0 MEDIUM | 5.3 MEDIUM |
| This affects all versions of package nedb. The library could be tricked into adding or modifying properties of Object.prototype using a __proto__ or constructor.prototype payload. | |||||
| CVE-2021-31232 | 1 Linuxfoundation | 1 Cortex | 2023-08-08 | 2.1 LOW | 5.5 MEDIUM |
| The Alertmanager in CNCF Cortex before 1.8.1 has a local file disclosure vulnerability when -experimental.alertmanager.enable-api is used. The HTTP basic auth password_file can be used as an attack vector to send any file content via a webhook. The alertmanager templates can be used as an attack vector to send any file content because the alertmanager can load any text file specified in the templates list. | |||||
| CVE-2021-31231 | 1 Grafana | 1 Enterprise Metrics | 2023-08-08 | 2.1 LOW | 5.5 MEDIUM |
| The Alertmanager in Grafana Enterprise Metrics before 1.2.1 and Metrics Enterprise 1.2.1 has a local file disclosure vulnerability when experimental.alertmanager.enable-api is used. The HTTP basic auth password_file can be used as an attack vector to send any file content via a webhook. The alertmanager templates can be used as an attack vector to send any file content because the alertmanager can load any text file specified in the templates list. | |||||
| CVE-2021-23364 | 1 Browserslist Project | 1 Browserslist | 2023-08-08 | 5.0 MEDIUM | 5.3 MEDIUM |
| The package browserslist from 4.0.0 and before 4.16.5 are vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries. | |||||
| CVE-2021-28099 | 1 Netflix | 1 Hollow | 2023-08-08 | 3.6 LOW | 4.4 MEDIUM |
| In Netflix OSS Hollow, since the Files.exists(parent) is run before creating the directories, an attacker can pre-create these directories with wide permissions. Additionally, since an insecure source of randomness is used, the file names to be created can be deterministically calculated. | |||||
| CVE-2021-23362 | 2 Npmjs, Siemens | 2 Hosted-git-info, Sinec Infrastructure Network Services | 2023-08-08 | 5.0 MEDIUM | 5.3 MEDIUM |
| The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity. | |||||
| CVE-2021-25292 | 1 Python | 1 Pillow | 2023-08-08 | 4.3 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in Pillow before 8.1.1. The PDF parser allows a regular expression DoS (ReDoS) attack via a crafted PDF file because of a catastrophic backtracking regex. | |||||
| CVE-2021-23126 | 1 Joomla | 1 Joomla\! | 2023-08-08 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in Joomla! 3.2.0 through 3.9.24. Usage of the insecure rand() function within the process of generating the 2FA secret. | |||||
| CVE-2021-25761 | 1 Jetbrains | 1 Ktor | 2023-08-08 | 5.0 MEDIUM | 5.3 MEDIUM |
| In JetBrains Ktor before 1.5.0, a birthday attack on SessionStorage key was possible. | |||||
| CVE-2022-27490 | 1 Fortinet | 4 Fortianalyzer, Fortimanager, Fortiportal and 1 more | 2023-08-08 | N/A | 6.5 MEDIUM |
| A exposure of sensitive information to an unauthorized actor in Fortinet FortiManager version 6.0.0 through 6.0.4, FortiAnalyzer version 6.0.0 through 6.0.4, FortiPortal version 6.0.0 through 6.0.9, 5.3.0 through 5.3.8, 5.2.x, 5.1.0, 5.0.x, 4.2.x, 4.1.x, FortiSwitch version 7.0.0 through 7.0.4, 6.4.0 through 6.4.10, 6.2.x, 6.0.x allows an attacker which has obtained access to a restricted administrative account to obtain sensitive information via `diagnose debug` commands. | |||||
| CVE-2022-48254 | 1 Huawei | 2 Leia-b29, Leia-b29 Firmware | 2023-08-08 | N/A | 4.6 MEDIUM |
| There is a data processing error vulnerability in Leia-B29 2.0.0.49(M03). Successful exploitation could bypass lock screen authentication. | |||||
| CVE-2022-36797 | 1 Vmware | 1 Ixgben | 2023-08-08 | N/A | 5.5 MEDIUM |
| Protection mechanism failure in the Intel(R) Ethernet 500 Series Controller drivers for VMware before version 1.10.0.1 may allow an authenticated user to potentially enable denial of service via local access. | |||||
| CVE-2022-29494 | 1 Intel | 58 C621a, C627a, C629a and 55 more | 2023-08-08 | N/A | 6.5 MEDIUM |
| Improper input validation in firmware for OpenBMC in some Intel(R) platforms before versions egs-0.91-179 and bhs-04-45 may allow an authenticated user to potentially enable denial of service via network access. | |||||
| CVE-2022-26841 | 3 Intel, Linux, Microsoft | 3 Sgx Sdk, Linux Kernel, Windows | 2023-08-08 | N/A | 5.5 MEDIUM |
| Insufficient control flow management for the Intel(R) SGX SDK software for Linux before version 2.16.100.1 may allow an authenticated user to potentially enable information disclosure via local access. | |||||
| CVE-2022-26343 | 1 Intel | 418 Xeon Bronze 3104, Xeon Bronze 3104 Firmware, Xeon Bronze 3106 and 415 more | 2023-08-08 | N/A | 6.7 MEDIUM |
| Improper access control in the BIOS firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access. | |||||
| CVE-2022-21216 | 1 Intel | 132 Atom C5310, Atom C5310 Firmware, Atom C5315 and 129 more | 2023-08-08 | N/A | 6.8 MEDIUM |
| Insufficient granularity of access control in out-of-band management in some Intel(R) Atom and Intel Xeon Scalable Processors may allow a privileged user to potentially enable escalation of privilege via adjacent network access. | |||||
| CVE-2022-47339 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2023-08-08 | N/A | 6.7 MEDIUM |
| In cmd services, there is a OS command injection issue due to missing permission check. This could lead to local escalation of privilege with system execution privileges needed. | |||||
| CVE-2022-33216 | 1 Qualcomm | 36 Qam8295p, Qam8295p Firmware, Qca6574a and 33 more | 2023-08-08 | N/A | 5.5 MEDIUM |
| Transient Denial-of-service in Automotive due to improper input validation while parsing ELF file. | |||||
| CVE-2022-34362 | 3 Ibm, Linux, Microsoft | 5 Aix, Linux On Ibm Z, Sterling Secure Proxy and 2 more | 2023-08-08 | N/A | 4.6 MEDIUM |
| IBM Sterling Secure Proxy 6.0.3 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. IBM X-Force ID: 230523. | |||||
| CVE-2022-45190 | 1 Microchip | 2 Rn4870, Rn4870 Firmware | 2023-08-08 | N/A | 5.3 MEDIUM |
| An issue was discovered on Microchip RN4870 1.43 devices. An attacker within BLE radio range can bypass passkey entry in the legacy pairing of the device. | |||||